1. A secure communication method for allowing a mobile host to communicate 
with a correspondent host over a Virtual Private Network via a Security Gateway (SG), 
the method comprising the steps of: 

(1) negotiating one or more Security Associations (SAs) between the mobile 
host and a correspondent host of a Virtual Private Network (VPN); 

(2) subsequently initiating a communication between the mobile host and the SG 
and sending an authentication certificate to the SG, the certificate containing at least the 
identity of a SA which will be used for subsequent communication between the mobile 
host and the correspondent host; 

(3) sending data packets from the mobile host to the correspondent host using 
the identified SA, via the SG; and 

(4) wherein said data packets are forwarded by the SG to the correspondent host 
only if they are authenticated by the SG. 

2. A method according to claim 1 and comprising, prior to step (2), negotiating one 
or more Security Associations (SAs) between the mobile host and the SG and sending 
said authentication certificate to the SG using one of the SAs. 

3. A method according to claim 1, wherein said authentication certificate contains 
an IP address of the mobile host. 

4. A method according to claim 1, wherein said SAs are IPsec phase 2 SAs and are 
used on top of an ISAKMP SA. 

5. A method according to claim 4, wherein said authentication certificate contains 
the ISAKMP cookies of the mobile host and said correspondent host, with which the 
phase 2 negotiation was done. 

6. A method according to claim 1, wherein the SG is coupled between the intranet 
and a core network of a mobile wireless telecommunications system. 
7. A method according to claim 1, wherein the mobile host is a wireless host 
coupled to the SG via an access network. 

8. A method according to claim 1, wherein the VPN comprises an intranet, with the 
SG being coupled between the intranet and the Internet. 

9. A method according to claim 8, wherein said correspondent host resides within 
the intranet and said data packets are forwarded to the correspondent host from the SG 
over a secure connection. 

10. A method according to claim 1, wherein a negotiated SA expires after a 
predefined volume of data has been sent using the SA. 

11. A method according to claim 1, wherein a negotiated SA is time limited by the 
SG and, at the end of a predefined time limit, the SA is suspended by the SG. 

12. A method according to claim 1, wherein the data packets sent in step (3) and 
which contain user data are authenticated by the SG using authentication data sent in 
separate data packets. 

13. A method according to claim 2, wherein the data packets sent in step (3) and 
which contain user data are authenticated by the SG using authentication data sent in 
separate data packets, and wherein the data packets containing user data are sent using a 
Security Association (SA) negotiated between the mobile host and said correspondent 
host and the data packets containing authentication data are sent using a Security 
Association (SA) negotiated between the mobile host and the SG. 

14. A Security Gateway (SG) of a Virtual Private Network, the SG enabling secure 
communication between a mobile host and a correspondent host, the SG comprising: 

(1) means for negotiating one or more Security Associations (SAs) between the 
mobile host and the Security Gateway (SG); 
(2) means for subsequently initiating a communication between the mobile host 
and the SG using a negotiated SA and for receiving an authentication certificate sent 
from the mobile host, the certificate containing at least the identity of the mobile host 
and an IP address of the mobile host; 

(3) means for receiving data packets sent from the mobile host and for 
authenticating the data packets; and 

(4) means for forwarding the data packets from the SG to said correspondent 
host providing that the received data packets are authenticated. 



15. A secure communication method for allowing a mobile host to communicate 
with a correspondent host over a Virtual Private Network, the method comprising the 
steps of: 

(1) negotiating one or more Security Associations (SAs) between the mobile 
host and a Security Gateway (SG) of a Virtual Private Network (VPN); 

(2) subsequently initiating a communication between the mobile host and the SG 
using a negotiated SA and sending an authentication certificate to the SG, the certificate 
containing at least the identity of the mobile host and an IP address of the mobile host; 

(3) sending data packets from the mobile host to the SG and authenticating the 
data packets at the SG; and 

(4) providing that the received data packets are authenticated, forwarding the 
data packets from the SG to said correspondent host. 
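Added illustrative example, not part of the patent text: a Python model of the SG's forwarding decision as described in claims 1, 10, 11 and 13. The certificate registers the SA identity (modelled here by an SPI) at the SG, and a user-data packet is forwarded only when the separate authentication packet verifies under the mobile-host/SG SA and the SA's volume and time limits still hold. The HMAC-SHA256 construction, the clock, the addresses, the SPI values and the key are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
@dataclass
class RegisteredSA:
    auth_key: bytes     # key of the mobile-host/SG SA protecting the separate authentication packets
    byte_limit: int     # claim 10: SA expires after a predefined volume of data
    lifetime: float     # claim 11: SG suspends the SA after a predefined time limit
    created: float
    bytes_sent: int = 0
def make_auth_packet(auth_key: bytes, user_packet: bytes) -> bytes:
    """Mobile-host side: authentication data sent in a separate packet (claims 12/13); HMAC is an assumption."""
    return hmac.new(auth_key, user_packet, hashlib.sha256).digest()
class SecurityGateway:
    def __init__(self, clock):
        self.clock = clock  # callable returning the current time in seconds (assumed interface)
        self.sas = {}       # (mobile_ip, spi) -> RegisteredSA, filled from received certificates
    def register_certificate(self, mobile_ip, spi, auth_key, byte_limit, lifetime):
        """Step (2): the certificate names the SA (modelled by its SPI) the host will use."""
        self.sas[(mobile_ip, spi)] = RegisteredSA(auth_key, byte_limit, lifetime, self.clock())
    def receive(self, mobile_ip, spi, user_packet, auth_packet) -> bool:
        """Step (4): forward (True) only if the SA is known and live and the packet authenticates."""
        sa = self.sas.get((mobile_ip, spi))
        if sa is None:
            return False  # SA was never announced in a certificate
        if self.clock() - sa.created > sa.lifetime:
            return False  # time limit reached: SA suspended (claim 11)
        if not hmac.compare_digest(make_auth_packet(sa.auth_key, user_packet), auth_packet):
            return False  # authentication data does not match the user data
        if sa.bytes_sent + len(user_packet) > sa.byte_limit:
            return False  # volume limit reached: SA expired (claim 10)
        sa.bytes_sent += len(user_packet)
        return True

def demo():
    """Constructed scenario hitting each drop condition; returns the SG's verdicts in order."""
    t = [0.0]
    sg = SecurityGateway(clock=lambda: t[0])
    key = b"constructed-mh-sg-sa-key"
    sg.register_certificate("10.0.0.7", 0x1001, key, byte_limit=40, lifetime=60.0)
    pkt = b"ESP payload for correspondent host"  # 34 bytes, constructed sample
    auth = make_auth_packet(key, pkt)
    ok = sg.receive("10.0.0.7", 0x1001, pkt, auth)
    forged = sg.receive("10.0.0.7", 0x1001, pkt, make_auth_packet(b"wrong-key", pkt))
    unknown = sg.receive("10.0.0.7", 0x2002, pkt, auth)  # SPI not named in any certificate
    volume = sg.receive("10.0.0.7", 0x1001, pkt, auth)   # 34 + 34 bytes exceeds the 40-byte limit
    t[0] = 61.0
    expired = sg.receive("10.0.0.7", 0x1001, b"hi", make_auth_packet(key, b"hi"))
    return ok, forged, unknown, volume, expired
```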



